IP Addr Comparison

Alan DeKok aland at deployingradius.com
Fri May 31 15:04:36 UTC 2024


On May 31, 2024, at 10:48 AM, BOUILLOUD Corentin <cbouilloud at systra.com> wrote:
> I would like to ask your help about IP address comparisons in FreeRADIUS 3.0.27.
> I want to restrict a mac-address to a network, but comparison of an IP address with a subnet doesn't seem to work as a check item:
> 
> 11-22-33-44-55-66       NAS-IP-Address < 192.168.8.0/22
> /etc/freeradius/3.0/authorized_macs[10]: Parse error (check) for entry 11-22-33-44-55-66: Invalid IPv4 mask length "/22".  Only "/32" permitted for non-prefix types

  Try putting the net mask in quotes.

	11-22-33-44-55-66       NAS-IP-Address < "192.168.8.0/22"

> Yet, documentation says it should be possible.
> 
> "The syntax allows conditions such as 192.0.2.1 < 192.0.2/24.
> This condition will return true, as the IP address 192.0.2.1 is within the network 192.0.2/24."

  Unfortunately the unlang parsing is slightly different from (and more capable than) the "users" file parsing.

> I also tried casting the attribute, without success:
> 
> 11-22-33-44-55-66       <ipaddr>NAS-IP-Address < "192.168.8.0/22"
> /etc/freeradius/3.0/authorized_macs[10]: Parse error (check) for entry 11-22-33-44-55-66: Invalid attribute name

  The "users" file parsing doesn't support casting.

  We're fixing that in v4 (of course).

> Do user files have a different behaviour for comparisons and casting?

  Yes.

> I could use regex as a backup solution but it's quickly going to get difficult to read in the file:
> 
> 11-22-33-44-55-66      NAS-IP-Address =~ "/^192\.168\.(8|9|10|11)\./"

  Or, just put the address/mask into quotes.

  Alan DeKok.
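
The regex fallback quoted above is only correct if it accepts exactly the addresses in 192.168.8.0/22. As an added example (not part of the original thread and not FreeRADIUS code), this Python check compares a pattern with a subnet address by address; the function name and the /16 probe range are assumptions made for the illustration.

```python
import ipaddress
import re

# Regex from the quoted message, with the surrounding /.../ delimiters removed.
POSTED_REGEX = r"^192\.168\.(8|9|10|11)\."
# Same pattern without the trailing "\." (constructed, to show a typical slip).
LOOSE_REGEX = r"^192\.168\.(8|9|10|11)"
SUBNET = ipaddress.ip_network("192.168.8.0/22")


def audit_regex_against_subnet(pattern, subnet, probe_prefixlen=16):
    """Compare a regex with a CIDR over every address of an enclosing block.

    Returns (missed, extra):
      missed - addresses inside the subnet that the regex rejects
      extra  - addresses outside the subnet that the regex accepts
    Both lists empty means the regex and the subnet agree on the probed block.
    """
    rx = re.compile(pattern)
    enclosing = subnet.supernet(new_prefix=probe_prefixlen)
    missed, extra = [], []
    for addr in enclosing:  # 65536 addresses for a /16 probe
        in_subnet = addr in subnet
        matched = rx.search(str(addr)) is not None
        if in_subnet and not matched:
            missed.append(addr)
        elif matched and not in_subnet:
            extra.append(addr)
    return missed, extra


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED_REGEX), ("loose", LOOSE_REGEX)):
        missed, extra = audit_regex_against_subnet(pattern, SUBNET)
        print(f"{name}: missed={len(missed)} extra={len(extra)}")
        if extra:
            print("  first over-match:", extra[0])
```

The loose variant over-matches because "8" also begins "80" through "89", and likewise for the other alternatives, which is the kind of error the quoted address/mask form avoids.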



More information about the Freeradius-Users mailing list